(54) E-commerce security processor alignment logic

(57) Provided is an architecture for a cryptography accelerator chip that allows significant performance improvements over previous prior art designs. The chip architecture enables a degree of parallel processing of authentication and encryption/decryption functions achieved by an alignment logic configuration that distinguishes portions of a non-pre-padded network security protocol (e.g., SSL (v3) or TLS) packet requiring one and/or another operation (authentication and/or encryption) to permit single pass processing of non-pre-padded network security protocol data. In some embodiments, processing efficiency may be further enhanced by the pipelining of successive packets to be processed.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS 

[0001] This application claims priority under U.S.C. 119(e) from U.S. Provisional Application No. 60/235,190, entitled "E-Commerce Security Processor," as of filing on September 20, 2000, the disclosure of which is herein incorporated by reference for all purposes.

BACKGROUND OF THE INVENTION 

1. Field of the Invention. 

[0002] The present invention relates to the field of cryptography, and more particularly to an integrated circuit chip architecture and method for cryptography acceleration.

2. Description of the Related Art 

[0003] Many methods for performing cryptography processing are well known in the art and are discussed, for example, in Applied Cryptography, Bruce Schneier, John Wiley & Sons, Inc. (1996, 2nd Edition), incorporated by reference in its entirety for all purposes. In order to improve the speed of cryptography processing, specialized cryptography accelerators have been developed that typically out-perform similar software implementations. Examples of such cryptography accelerators include the Hi/fn™ 7751, the VLSI™ VMS115, and the BCM™ 5805 manufactured by Broadcom, Inc. of San Jose, CA.

[0004] Many cryptography protocols incorporate encryption/decryption and authentication functionalities. These include the IP layer security standard protocol, IPSec (RFC2406), and other network security protocols Secure Socket Layer (SSL) (v3) (Netscape Communications Corporation) (referred to herein as SSL) and Transport Layer Security (TLS) (RFC 2246), all commonly used in electronic commerce transactions. IPSec (RFC2406) specifies two standard algorithms for performing authentication operations, HMAC-MD5-96 (RFC2403) and HMAC-SHA1-96 (RFC2404). SSL and TLS use a MAC and an HMAC, respectively, for authentication. The underlying hash algorithm in either case can be either MD5 (RFC1321) or SHA1 (NIST (FIPS 180-1)). SSL and TLS deploy such well-known algorithms as RC4, DES, triple DES for encryption/decryption operations. These network protocols are also described in detail in E. Rescorla, SSL and TLS: Designing and Building Secure Systems (Addison-Wesley, 2001) and S. A. Thomas, SSL & TLS Essentials: Securing the Web (John Wiley & Sons, Inc. 2000), both of which are incorporated by reference herein for all purposes. These protocols and their associated algorithms are well known in the cryptography art and are described in detail in the noted National Institute of Standards and Technology (NIST), IETF (identified by RFC number) and other noted sources and specifications, incorporated herein by reference for all purposes.

[0005] Fig. 1 shows a block diagram of a cryptography processing system hardware implementation suitable for cryptography protocols incorporating encryption/decryption and authentication functionalities. The hardware for the cryptography processing is implemented as a stand-alone cryptography processing chip 102 and incorporated into a standard processing system 100. The cryptography processing chip 102 includes encryption 105 and authentication 106 components, and resides on an expansion card 104 connected to a standard PCI bus 108 via a standard on-chip PCI interface. Data to be cryptography processed moves to and from the cryptography processing chip 102 via the PCI bus 108. The processing system 100 also includes a processing unit 110 and a system memory unit 112. The processing unit 110 and the system memory unit 112 may be attached to the system bus 108 via a bridge and memory controller 114. A LAN interface 116 attaches the processing system 100 to a local area network and receives packets for processing and writes out processed packets to the network. Likewise, a WAN interface 118 connects the processing system to a WAN, such as the Internet, and manages in-bound and out-bound packets, providing automatic security processing for IP packets.

[0006] Efficient hardware implementations for processing IPSec data packets are known, including parallel authentication and encryption/decryption processing implementations such as described in co-pending application No. 09/510,486. Such parallel processing hardware implementations of IPSec data are facilitated by the fact that IPSec MACs are not encrypted and therefore the data can be pre-padded. Such parallel processing of encryption and authentication operations allows for a reduction of transmissions into and out of the cryptography processing chip across the PCI bus to a single pass (i.e., data for cryptography processing in; cryptography processed data out), resulting in more efficient utilization of the PCI bus 108.

[0007] Other network security protocol packets, such as SSL and TLS packets, however, are not pre-padded, and are therefore not amenable to the same parallel processing hardware implementations as IPSec data. According to such implementations, two passes across the PCI bus (i.e., one pass in and out for each of the authentication and encryption/decryption operations) would be required. This heavy data transmission requirement would increase traffic and potentially create a bottleneck at the PCI bus 108, thereby substantially impacting the extent to which hardware implementation of cryptography processing could improve processing efficiency for such non-pre-padded network security protocol packet data.

[0008] Thus, the development of a hardware implementation configured to reduce the number of transmissions in and out of a cryptography processing chip across a PCI bus would be desirable in order to improve the efficiency of the cryptography processing of non-pre-padded network security protocol packets.

SUMMARY OF THE INVENTION 

[0009] In general, the present invention provides an architecture for a cryptography accelerator chip that allows significant performance improvements in network security protocol data packet processing over previous designs. The chip architecture enables a degree of parallel processing of authentication and encryption/decryption functions achieved by an alignment logic configuration that distinguishes portions of a non-pre-padded network security protocol packet (e.g., an SSL or TLS packet) requiring one and/or another operation (authentication and/or encryption) to permit single pass processing of data. In some embodiments, processing efficiency may be further enhanced by pipelining successive packets to be processed.

[0010] In one aspect, the invention provides a method of processing non-pre-padded network security protocol data packets. The method involves providing a cryptography processing architecture on a chip and passing non-pre-padded network security protocol data for both authentication and cryptography operations from a source to the chip. The method further involves conducting, on the chip and in hardware, authentication and encryption operations on the network security protocol data, and passing the crypto-processed network security protocol data from the chip to the source. The network security protocol data is passed between the chip and the source in a single pass.

[0011] In another aspect, the invention provides a cryptography accelerator chip architecture. The architecture includes an authentication component, an encryption component, and a pad engine computing and outputting pad length and bytes to said encryption component.

[0012] In a further aspect, the method and chip architecture of the present invention may be implemented in an electronic commerce computer network system.

[0013] These and other features and advantages of the present invention will be presented in more detail in the following specification of the invention and the accompanying figures which illustrate by way of example the principles of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS 

[0014] The present invention will be readily understood by the following detailed description in conjunction with the accompanying drawings, in which:

Fig. 1 is a high-level block diagram of a system implementing a cryptography accelerator chip.

Fig. 2 is a tabular representation of the format of an SSL packet.

Fig. 3 is a block diagram of a cryptography accelerator chip architecture in accordance with one embodiment of the present invention.

Fig. 4 is a register block diagram showing conceptual memory storage describing the alignment logic used to implement an embodiment of the present invention.

Fig. 5 is a FIFO representation describing the alignment logic used to implement an embodiment of the present invention.

Fig. 6 is a high-level block diagram of a system implementing a cryptography accelerator chip in accordance with one embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION 

[0015] Reference will now be made in detail to some specific embodiments of the invention including the best modes contemplated by the inventors for carrying out the invention. Examples of these specific embodiments are illustrated in the accompanying drawings. While the invention is described in conjunction with these specific embodiments, it will be understood that it is not intended to limit the invention to the described embodiments. On the contrary, it is intended to cover alternatives, modifications, and equivalents as may be included within the spirit and scope of the invention as defined by the appended claims. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. The present invention may be practiced without some or all of these specific details. In other instances, well known process operations have not been described in detail in order not to unnecessarily obscure the present invention.

[0016] In general, the present invention provides an architecture for a cryptography accelerator chip that allows significant performance improvements in network security protocol data packet processing over previous designs. The chip architecture enables a degree of parallel processing of authentication and encryption/decryption functions achieved by an alignment logic configuration that distinguishes portions of a non-pre-padded network security protocol (e.g., SSL or TLS) packet requiring one and/or another operation (authentication and/or encryption/decryption) to permit single pass processing of the non-pre-padded network security protocol data. In some embodiments, processing efficiency may be further enhanced by pipelining successive packets to be processed.

[0017] The invention will now be further described with reference to a particular non-pre-padded network security protocol, SSL (v3) (referred to herein as SSL). It should be understood that the invention is applicable beyond SSL to other non-pre-padded network security protocols, for example, TLS, generally to permit single pass processing of authentication and encryption/decryption data. The format of SSL data is represented (outbound direction) in Fig. 2 with "x" indicating that an operation (authentication or encryption) is required on that portion of the SSL packet. SSL encryption requires computation of a message authentication code ("MAC"). As indicated by the arrow, computation of the MAC requires as input the Content Type, Length and Data portions of the SSL packet (as noted above, TLS uses an HMAC in which the Version is included in the computation; other aspects of the authentication and encryption of TLS data are similar to SSL as it relates to the present invention). Therefore, as noted above, conventional implementations use two passes across the PCI bus to crypto process SSL data, one for authentication and one for encryption.

[0018] The present invention implements a degree of parallel processing of encryption/decryption and authentication operations through alignment logic on the cryptography processing chip that allows for receipt of all SSL packet portions by the chip, padding and alignment, cryptographic processing, and transmission of the cryptography processed data out of the chip in a single pass over the PCI bus. This alignment logic is described with reference to the chip block diagram, register block diagram showing conceptual memory storage, and FIFO representation depicted in Figs. 3, 4 and 5, respectively.

[0019] Fig. 3 is a block diagram of a cryptography accelerator chip architecture in accordance with one embodiment of the present invention. The chip may reside on an expansion card. The chip architecture 300 includes authentication and encryption (also handling decryption) components. The authentication component 302 includes an authentication alignment block 304 that receives data for cryptography processing from a system front end 301, for example, off a network via a PCI bus. In the authentication alignment block 304, non-valid bytes are removed from the data stream and the data is packed and aligned for input into an authentication in FIFO buffer 306. In one embodiment the FIFO is 32 bits wide (but may be of any other suitable width, e.g., 64 bits).

[0020] As described in further detail with reference to Figs. 4 and 5, the portions of the data packet are loaded into the FIFO 306 in the order received, and authentication operations are performed on the data when sufficient data is received for the operation to begin. In the case of SSL, both of the supported authentication protocols, MD5 and SHA1, specify that data is to be processed in 512-bit blocks. As defined in the MD5 and SHA1 specifications, if the data in a packet to be processed is less than a multiple of 512 bits, padding is applied to round-up the data length to a multiple of 512 bits.

[0021] Once 512 bits or a complete packet worth of data padded to a multiple of 512 bits have been loaded into the FIFO 306, a 512-bit data block is transferred to the authentication engine 308, and authentication processing begins. Depending on the implementation of the authentication engine, processing may begin before all 512 bits are loaded into the FIFO 306 (e.g., processing may begin once a 32 bit word is loaded in a 32 bit FIFO), but processing of the block may not be completed until all 512 bits of the block are loaded. As noted in connection with Fig. 2, SSL encryption requires computation of a message authentication code ("MAC"), and computation of the MAC requires as input the Content Type, Length and Data portions of the SSL packet. The architecture and alignment logic of the present invention are configured to take the authenticated Content Type, Length and Data from the authentication component and feed it back into the alignment block of the cryptography component 352. In this way, some partial parallel authentication and encryption processing is enabled, as described further below. The authentication component 302 of the chip architecture 300 also has an authentication out FIFO 310 for the final authentication hash for an inbound packet (decryption).

[0022] The encryption component 352 of the architecture 300 also includes an encryption (also handling decryption) alignment block 354 that receives data for cryptography processing from a front end source 301, and also feedback, illustrated by arrow 309, of the calculated MAC from the authentication engine 308 of the authentication component 302 for parallel processing. In addition, in order to properly process the data, the encryption ("crypto") alignment block requires the Pad and Pad Length to be added if a block cipher (e.g., DES, 3DES, etc.) is used. This data is provided by a pad engine 330. The pad engine 330 calculates the pad length and provides the Pad Length calculation and appropriate number of Pad bytes to the cryptography alignment block. As described further below in connection with Figs. 4 and 5, in the alignment block 354, non-valid bytes are removed from the data stream and the data is packed and aligned for input into a cryptography in FIFO buffer 356.

[0023] For decryption of inbound packets, the data is received at the cryptography alignment block 354 and decrypted by processing through the crypto engine 358, before being fed back to the authentication alignment block for processing through the authentication component, as illustrated by arrow 359. The part of the encrypted packet that contains the MAC value and the padding added by the other sender is not fed back to the authentication alignment block. The pad engine 330 is not involved in the decryption processing.

[0024] Fig. 4 is a register block diagram showing conceptual memory storage to describe the alignment logic used to implement the cryptography alignment aspect of an embodiment of the present invention, accomplished by encryption alignment block 354 of Fig. 3. This representation depicts SSL data in the outbound direction. In this example, the register 400 is 32 bits (four 8-bit bytes) wide, but, as noted above, may be implemented in other widths consistent with the present invention. The data in the register represent those portions of the SSL format that are required for the encryption operation. Each row of the register contains a single portion type. In this example, the Data portion (D) is just 3 bytes, and the fourth byte of the Data row in the register is a non-valid byte. The MAC (M) is 128 bits (16 bytes) of data. The Pad (P) is of a size, indicated by a Pad Length byte (L) and generated by a Pad Engine on the chip, to pad the total size of the data portions to be processed through the encryption operation. The total size requirement varies with the particular encryption engine used. In the case of DES (or 3DES), an even number of words is required and the data to be processed is typically padded to a multiple of 64 bits since DES operates on data blocks of that size.

[0025] Referring to Fig. 5, for efficient processing, the data portions represented in Fig. 4 are loaded into a FIFO buffer 500 (equivalent to FIFO 356 in Fig. 3) to await encryption processing. Proper loading of the FIFO requires packing of the data to eliminate non-valid bytes. Fig. 5 shows the data depicted in the example of Fig. 4 packed into a FIFO buffer to illustrate an aspect of the alignment logic used to implement an embodiment of the present invention. The depicted FIFO 500 is 32 bits wide and is loaded and read in the direction of the arrow 502. In the example shown, the data from the register 400 is aligned into six 32-bit rows in the FIFO 500, therefore representing three DES data blocks.

[0026] Referring again to Fig. 3, in the case of DES, 64 bit data blocks are passed from the cryptography in FIFO 356 to the cryptography engine 358 for processing as soon as they are received in properly aligned form. The encrypted result is passed from the cryptography engine to a cryptography out FIFO 360 for output from the cryptography component of the chip architecture 300.
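
The outbound padding and packing described with Figs. 4 and 5 can be modelled in software. The following Python model is an added example, not part of the patent text: the function names, the constructed key and data, and the choice to fill pad bytes with the pad length value are assumptions, and the MAC uses the SSL v3 MD5 construction, which also covers a secret and a sequence number not discussed on this page.

```python
import hashlib

WORD = 4       # FIFO/register width in bytes (32 bits, as in Figs. 4 and 5)
DES_BLOCK = 8  # DES/3DES block size in bytes (64 bits)


def sslv3_mac_md5(secret, seq_num, content_type, data):
    """SSL v3 MD5 MAC over sequence number, Content Type, Length and Data."""
    covered = (seq_num.to_bytes(8, "big") + bytes([content_type])
               + len(data).to_bytes(2, "big") + data)
    inner = hashlib.md5(secret + b"\x36" * 48 + covered).digest()
    return hashlib.md5(secret + b"\x5c" * 48 + inner).digest()


def pad_engine(payload_len, block=DES_BLOCK):
    """Pad Length L (0 <= L < block) so that payload + L pad bytes + the
    one-byte Pad Length field fill a whole number of cipher blocks."""
    return -(payload_len + 1) % block


def register_rows(portion):
    """Fig. 4 layout: one portion type per row; the last row of a portion
    may hold fewer than WORD valid bytes (the rest is non-valid filler)."""
    rows = []
    for i in range(0, len(portion), WORD):
        chunk = portion[i:i + WORD]
        rows.append((chunk.ljust(WORD, b"\xff"), len(chunk)))
    return rows


def pack_fifo(rows):
    """Fig. 5 packing: drop non-valid bytes, then re-cut into 32-bit words."""
    stream = b"".join(word[:valid] for word, valid in rows)
    if len(stream) % WORD:
        raise ValueError("stream is not word aligned; padding is wrong")
    return [stream[i:i + WORD] for i in range(0, len(stream), WORD)]


def align_for_encryption(data, mac, block=DES_BLOCK):
    """Model of the outbound path: Data, MAC, Pad, Pad Length into the FIFO."""
    pad_len = pad_engine(len(data) + len(mac), block)
    # Assumption: pad bytes carry the pad length value (required by TLS,
    # permitted by SSL v3, which leaves the pad content unspecified).
    portions = (data, mac, bytes([pad_len]) * pad_len, bytes([pad_len]))
    rows = [row for p in portions for row in register_rows(p)]
    fifo = pack_fifo(rows)
    stream = b"".join(fifo)
    blocks = [stream[i:i + block] for i in range(0, len(stream), block)]
    return pad_len, rows, fifo, blocks


def fig4_example():
    """Constructed input matching the page's example: 3 Data bytes, MD5 MAC."""
    data = b"abc"                                # constructed sample data
    mac = sslv3_mac_md5(b"k" * 16, 0, 23, data)  # constructed key, type 23
    return align_for_encryption(data, mac)


if __name__ == "__main__":
    pad_len, rows, fifo, blocks = fig4_example()
    print("pad length:", pad_len)
    print("register rows:", len(rows), "FIFO words:", len(fifo),
          "DES blocks:", len(blocks))
    for word in fifo:
        print(word.hex())
```

With 3 Data bytes and a 16-byte MAC the model yields six 32-bit FIFO words, that is three DES blocks, as in the Fig. 5 description; a payload that already ends one byte short of a block boundary gets a zero-length pad and only the Pad Length byte.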

[0027] Further efficiency may be achieved by pipelining data from subsequent packets to be processed. That is, as the authentication component 302 of the architecture 300 completes calculation of the MAC and feeding it back to the crypto component alignment block 354 for the last (or only) 512-bit data block of a packet, the data requiring authentication for the next packet received from the front end 301 is loaded into the authentication alignment block 304, processed and passed to the alignment in FIFO 306 so that authentication processing of the next packet of data may begin before encryption of the previously authenticated block is complete.

[0028] Fig. 6 is a high-level block diagram of a system implementing a cryptography accelerator chip architecture in accordance with one embodiment of the present invention. The system implements the alignment logic of the present invention, described above. The hardware for the cryptography processing is implemented as a stand-alone cryptography accelerator chip 602 and incorporated into a standard processing system 600. The cryptography accelerator chip 602 includes encryption 605 and authentication 606 components, and resides on an expansion card 603 connected to a standard PCI bus 608 via a standard on-chip PCI interface. The chip also includes a pad engine 607 for calculating the pad length and providing the Pad Length calculation and appropriate number of Pad bits to the cryptography alignment block to enable efficient alignment and processing of cryptography data, as described above. The processing system 600 includes a processing unit 610 and a system memory unit 612. The processing unit 610 and the system memory unit 612 may be attached to the system bus 608 via a bridge and memory controller 614. A LAN interface 616 attaches the processing system 600 to a local area network and receives packets for processing and writes out processed packets to the network. Likewise, a WAN interface 618 connects the processing system to a WAN, such as the Internet, and manages in-bound and out-bound packets, providing automatic security processing for packets.

[0029] As described above, this chip architecture enables a degree of parallel processing of authentication and encryption/decryption functions achieved by an alignment logic configuration that distinguishes portions of a non-pre-padded network security protocol (e.g., SSL or TLS) packet requiring one and/or another operation (authentication and/or encryption/decryption) to permit single pass processing of non-pre-padded network security protocol data. The architecture configuration receives and efficiently processes authentication and encryption data transmitted to the cryptography accelerator chip over the PCI bus in a single pass, obviating the need for separate passes of authentication and cryptography data in prior designs.

[0030] A further advantage achieved by the present invention is to reduce some of the processing load from the off-chip processor. In conventional cryptography chip designs, alignment and padding functions are performed on the processor and the aligned and padded data is sent over the PCI bus to the cryptography chip for cryptography processing. The architecture of the present invention performs alignment and padding on the cryptography chip thereby reducing the load on the processor, reducing the amount of data to be sent across the PCI bus and the number of passes required to complete cryptography processing.

CONCLUSION

[0031] Although the foregoing invention has been described in some detail for purposes of clarity of understanding, those skilled in the art will appreciate that various adaptations and modifications of the just-described preferred embodiments can be configured without departing from the scope and spirit of the invention. For example, one of skill in the art will understand that other non-pre-padded network security protocols having analogous formats to SSL as it pertains to this invention (e.g., TLS) may be used. Therefore, the described embodiments should be taken as illustrative and not restrictive, and the invention should not be limited to the details given herein but should be defined by the following claims and their full scope of equivalents.



Claims 

1. A method of processing network security protocol data packets, comprising:

providing a cryptography processing architecture on a chip;

passing non-pre-padded network security protocol data for both authentication and cryptography operations from a source to said chip;

conducting, in hardware, authentication and encryption operations on the network security protocol data; and

passing the crypto-processed network security protocol data from said chip to said source;

wherein said non-pre-padded network security protocol data is passed between said chip and said source in a single pass.

2. A method according to claim 1, wherein said network security protocol is SSL (v3).

3. A method according to claim 1, wherein said network security protocol is TLS.

4. A method according to any preceding claim, further comprising simultaneously with conducting the cryptography operations on the data, pre-loading network security protocol data from a second non-pre-padded network security protocol packet onto the chip.

5. A method according to any preceding claim, further comprising simultaneously with conducting the encryption operations on the data, conducting, in hardware, authentication operations on the network security protocol data from the second network security protocol packet.

6. A method according to any preceding claim, wherein said conducting, in hardware, authentication and encryption operations on the non-pre-padded network security protocol data comprises conducting padding and alignment operations on the chip.



7. A method according to any preceding claim, wherein said calculation of a pad length for padding operations is conducted by a pad engine component of the chip architecture.

8. A method according to any preceding claim, wherein said conducting, in hardware, authentication and encryption operations on the network security protocol data comprises feeding back a MAC value calculated during authentication operations for processing in the encryption operations.

9. A method according to any preceding claim, wherein said encryption operations further include decryption operations.

10. A method according to claim 9, wherein conducting, in hardware, authentication and decryption operations on the network security protocol data comprises feeding back decrypted data for processing in the authentication operations.

11. A cryptography accelerator chip architecture, comprising:

an authentication component;

an encryption component; and

a pad engine computing and outputting pad length and pad to said encryption component.

12. A cryptography accelerator architecture according to claim 11, wherein said architecture is configured to process non-pre-padded network security protocol packets.

13. A cryptography accelerator architecture according to any of claims 11-12, wherein said chip resides on an expansion card.

14. A cryptography accelerator architecture according to any of claims 11-13, wherein said authentication component comprises an alignment block, an authentication data input buffer, and an authentication engine.

15. A cryptography accelerator architecture according to any of claims 11-14, wherein said encryption component comprises an alignment block, an encryption data input buffer, and an encryption engine.

16. A cryptography accelerator architecture according to any of claims 11-15, wherein said architecture is configured to process SSL data.

17. A cryptography accelerator architecture according to any of claims 11-15, wherein said architecture is configured to process TLS data.

18. An electronic commerce computer network system, comprising:

a front end data source;

a PCI bus connecting said front end data source to a cryptography accelerator chip architecture as claimed in claim 11.

19. A system according to claim 18, wherein said front end data source comprises:

one or more network interfaces;

a processor connected with said interfaces;

a memory connected with said processor; and

a bridge and memory controller connected with said processor and memory.

20. A system according to any of claims 18-19, wherein said chip resides on an expansion card.

21. A system according to any of claims 18-20, wherein said architecture is configured to process network security protocol packets.

22. A system according to any of claims 18-21, wherein said authentication component comprises an alignment block, an authentication data input buffer, and an authentication engine.

23. A system according to any of claims 18-22, wherein said encryption component comprises an alignment block, an encryption data input buffer, and an encryption engine.

24. A system according to any of claims 18-23, wherein said network security protocol is SSL (v3).

25. A system according to any of claims 18-23, wherein said network security protocol is TLS.